Vulnerability in Pre-Installed App Allows Arbitrary AT Commands Execution
CVE-2023-38293
Summary
Certain software builds for the Nokia C200 and Nokia C100 Android devices include a vulnerable pre-installed application, com.tracfone.tfstatus. Because of insufficient access control and inadequate input filtering, the application lets local third-party applications execute arbitrary AT commands. Exploitation requires no special permissions or user privileges, only that a malicious third-party application be installed and run. Such an application can send a broadcast Intent to the component com.tracfone.tfstatus/.TFStatus, which then initializes a vulnerable activity using user-controlled strings, allowing arbitrary AT commands to be injected through two distinct techniques.
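For triage of pre-installed packages on a device build, the following added example (not code from the advisory or the vendor) audits a decoded AndroidManifest.xml for components that any local app can reach, reporting them in the same `package/.Component` form used above. It assumes the access-control gap appears in the manifest as an exported component with no `android:permission`; the sample manifest, its package and its component names are constructed and hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "receiver", "service")

# Constructed sample manifest (hypothetical package, not taken from any real build).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.preload">
  <application>
    <receiver android:name=".StatusReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.preload.STATUS"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.preload.permission.INTERNAL"/>
    <activity android:name=".DiagActivity">
      <intent-filter><action android:name="com.example.preload.DIAG"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def unprotected_components(manifest_xml):
    """Return [(tag, 'package/name')] for exported components with no permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = _attr(app, "permission")  # applies to components lacking their own
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        if exported is None:
            # Pre-Android 12 default: declaring an intent-filter implies exported.
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        # Presence only; a permission's protection level still needs manual review.
        permission = _attr(comp, "permission") or app_permission
        if is_exported and not permission:
            findings.append((comp.tag, f"{package}/{_attr(comp, 'name')}"))
    return findings
```

Each finding is a candidate for manual review of how the component handles Intent extras before they reach a privileged interface such as the modem.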
References
Timeline
Vulnerability Published
Vulnerability Reserved